- From: Paul B. Hill <pbh@MIT.EDU>
- Date: Wed, 15 Nov 2006 09:21:10 -0500
- To: <public-wsc-wg@w3.org>

Hi,

The group should be aware that a relevant draft has been submitted to the IETF.

Abstract

This memo proposes requirements for protocols between web identity providers and users and for requirements for protocols between identity providers and relying parties. These requirements minimize the likelihood that criminals will be able to gain the credentials necessary to impersonate a user or be able to fraudulently convince users to disclose personal information. To meet these requirements browsers must change. Websites must never receive information such as passwords that can be used to impersonate the user to third parties. Browsers should perform mutual authentication and flag situations when the target website is not authorized to accept the identity being offered as this is a strong indication of fraud.

A copy of the most recent draft can be found at <http://www.ietf.org/internet-drafts/draft-hartman-webauth-phishing-02.txt>.

If anyone in the group has comments about the content, or suggested changes, they should be provided to the author as soon as possible. The author expects to request publication as an RFC in the near future.

Paul Hill

Received on Wednesday, 15 November 2006 18:39:06 UTC